Amazon has prevented more than 1,800 suspected North Korean operatives from securing employment since April 2024, as the Pyongyang regime continues efforts to place IT workers in remote roles at Western companies to generate revenue for the regime. Amazon's Senior Vice President and Chief Security Officer, Stephen Schmidt, revealed the figures in a LinkedIn post, noting a 27% quarter-on-quarter increase in the number of detected DPRK-affiliated applications this year. The aim, he said, is for operatives to "get hired, get paid, and funnel wages back to fund the regime's weapons programs."[1]
Amazon employs a combination of artificial intelligence tools and human verification to screen applicants. The AI system flags connections to nearly 200 high-risk institutions, application anomalies, and geographic inconsistencies, followed by background checks, credential verification, and interviews. Operatives have refined their approaches, targeting credible software engineers for identity theft, hijacking dormant LinkedIn accounts via compromised credentials, and increasingly applying for AI and machine learning positions. They often rely on "laptop farms," US-based computers remotely controlled from abroad, to mask their locations.
Subtle indicators include shifting educational claims (from East Asian universities to those in American states with no income tax, and now California and New York institutions), mismatched academic details, and phone numbers formatted with "+1" rather than "1". Schmidt emphasized that the issue extends beyond Amazon and affects the industry on a large scale. US authorities have long warned of North Korean schemes involving stolen or forged American identities to secure remote IT jobs. In May 2024, the FBI and partners issued guidance on these threats.
In July 2025, Christina Marie Chapman, a 50-year-old from Arizona, was sentenced to 102 months in prison for operating a laptop farm that enabled North Korean workers to gain positions at over 300 US companies, generating more than $17 million in revenue. Chapman hosted company-issued laptops at her home and shipped devices overseas, including to a city in China near the North Korean border.
Earlier actions included searches of multiple laptop farms and indictments of facilitators. The Department of Justice estimates that such operations have funneled substantial funds to Pyongyang, supporting its weapons development. Schmidt urged organizations to scrutinize databases for patterns in resumes, emails, phone numbers, and educational backgrounds. He advised multi-stage identity verification, monitoring unusual remote access or unauthorized hardware, and reporting suspicions to the FBI or local law enforcement.
Sharing intelligence across the sector, he argued, would further complicate these operations. The FBI recommends thorough checks of identity documents, prior employment, and education, and, where feasible, consideration of in-person meetings.
This article is shared at no charge for educational and informational purposes only.
Red Sky Alliance is a Cyber Threat Analysis and Intelligence Service organization. We provide indicators-of-compromise information via a notification service (RedXray) or an analysis service (CTAC). For questions, comments or assistance, please contact the office directly at 1-844-492-7225 or feedback@redskyalliance.com
- Reporting: https://www.redskyalliance.org/
- Website: https://www.redskyalliance.com/
- LinkedIn: https://www.linkedin.com/company/64265941
Weekly Cyber Intelligence Briefings:
REDSHORTS - Weekly Cyber Intelligence Briefings
https://register.gotowebinar.com/register/5207428251321676122
[1] https://www.cybersecurityintelligence.com/blog/amazon-blocks-over-1800-suspected-north-korean-job-applications-9004.html
Comments